Azure AD User setting Tenant Creation
Hi All,
For a few days now, there has been a new setting in the Azure AD User Settings: “Tenant creation”.
By default, this setting is set to “Yes”, which means that a user can create a new Azure AD tenant.
“No” means that only users with “Global Administrator” or “Tenant Creator” Admin Role can create Azure AD Tenants.
I can’t think of many scenarios where this should be enabled, so setting this to “No” is a secure configuration.
You can have a look at the Authorization Policy with the Graph Explorer
GET https://graph.microsoft.com/beta/policies/authorizationPolicy
You can view and change the Setting with PowerShell.
Connect-MgGraph -Scopes Policy.Read.All, Policy.ReadWrite.Authorization
Select-MgProfile -Name "beta"
Get-MgPolicyAuthorizationPolicy | fl
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AdditionalProperties | fl
Allow Tenant creation for Users
#Users can create Tenants
$Param = @"
{"allowedToCreateTenants": true}
"@
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" -DefaultUserRolePermissions $Param
Disable Tenant creation for users
#Users can't create Tenants
$Param = @"
{"allowedToCreateTenants": false}
"@
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" -DefaultUserRolePermissions $Param
Regards
Andres Bohren
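An added example (not part of the original post): a PowerShell function that takes the JSON returned for the authorization policy and reports whether tenant creation is open to all users, so the setting can be checked in an audit script. The function name Get-TenantCreationFinding, the Status values and the sample JSON are assumptions made for this example.

```powershell
# Added example: evaluate allowedToCreateTenants from an authorizationPolicy response.
# Get-TenantCreationFinding is a hypothetical helper, not a Microsoft Graph cmdlet.
function Get-TenantCreationFinding {
    param(
        [Parameter(Mandatory)]
        [string]$PolicyJson
    )

    $response = $PolicyJson | ConvertFrom-Json

    # Accept both a single policy object and a response wrapped in a "value" collection.
    $policy = if ($response.PSObject.Properties.Name -contains 'value') {
        @($response.value)[0]
    } else {
        $response
    }

    $perms = $policy.defaultUserRolePermissions
    if ($null -eq $perms -or
        $perms.PSObject.Properties.Name -notcontains 'allowedToCreateTenants') {
        # Property absent: do not assume a value, flag it for a manual check.
        return [pscustomobject]@{
            Setting = 'allowedToCreateTenants'; Value = $null
            Status  = 'Unknown'; Note = 'Property not returned; check the portal setting.'
        }
    }

    $allowed = [bool]$perms.allowedToCreateTenants
    [pscustomobject]@{
        Setting = 'allowedToCreateTenants'
        Value   = $allowed
        Status  = if ($allowed) { 'Review' } else { 'Restricted' }
        Note    = if ($allowed) { 'Users can create Azure AD tenants.' }
                  else { 'Only Global Administrator or Tenant Creator can create tenants.' }
    }
}

# Constructed sample responses (not taken from a real tenant).
$sampleOpen   = '{"value":[{"id":"authorizationPolicy","defaultUserRolePermissions":{"allowedToCreateApps":true,"allowedToCreateTenants":true}}]}'
$sampleClosed = '{"id":"authorizationPolicy","defaultUserRolePermissions":{"allowedToCreateApps":true,"allowedToCreateTenants":false}}'
$sampleOpen, $sampleClosed | ForEach-Object { Get-TenantCreationFinding -PolicyJson $_ }

# Live use, after Connect-MgGraph -Scopes Policy.Read.All:
# $json = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy' -OutputType Json
# Get-TenantCreationFinding -PolicyJson $json
```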